The business and culture of our digital lives, from the L.A. Times

Report: IRS databases with taxpayer data vulnerable to hackers

June 23, 2011 | 5:27
pm

Updated at 6:16 p.m. with IRS response, below.

Thousands of Interal Revenue Service databases that hold sensitive taxpayer information use outdated security software, leaving them vulnerable to hackers, according to a government office that monitors the IRS.

The Treasury Inspector General for Tax Administration said that an audit of IRS databases revealed that 2,200 databases the IRS employs to "to manage and process taxpayer data are not configured securely, are running out-of-date software, and no longer receive security patches."

The audit, completed in May but released publicly [PDF] on Thursday, also said that the IRS had not completed its plans to scan its many databases for vulnerabilities.

"As all government databases are becoming favored targets of hackers, the importance of protecting IRS databases cannot be overstated," J. Russell George, the inspector general in charge of the audit, said in a statement. "Any failure to maintain IRS databases with the right amount of security diligence can allow disgruntled insiders or malicious outsiders to exploit security weaknesses to gain unauthorized access to taxpayer data, resulting in identity theft, fraud, or other types of illegal activity."

The IRS largely agreed with the report's findings and recommendations, and commited to fixing the issues by December. In a statement on Thursday, a spokesperson for the agency noted that the report made "no direct assertion that any taxpayer data is at risk" and that most of the databases in question do not contain taxpayer data. (See full statement below).

The report comes as a raft of government agencies and private companies have faced hacking attacks, including Sony Corp., CitiGroup, the CIA, and potentially law enforcement agencies in Arizona. The surge in hacking attacks has caused serious concern in both the public and private sectors. It is widely agreed in the security community that hackers can now outwit digital security measures at many, if not most, organzations.

The IRS issued the following statement in response to the publication of the report:

The IRS takes the security of our databases very seriously. We want to be very clear that while this report points out a number of technical issues, many of which have been resolved, there is no direct assertion that any taxpayer data is at risk. In fact, it should be noted that many of the databases referenced in this report don't store any taxpayer data at all.

The IRS emphasizes these databases are used internally and are not directly accessed by the public.

Security enhancement is an ongoing investment as the external world changes. We continue to make substantial investments, and test our capabilities on an ongoing basis.

It's also important to note there have been no actual data breaches involving these databases.